DHS Mandates DMARC, HTTPS for All US Federal Agencies

The US Department of Homeland Security (DHS) has announced that it will require federal agencies to use DMARC email security and HTTPS, to protect employees and those corresponding with the federal government.

Assistant DHS Secretary Jeanette Manfra announced that the department would issue a binding directive requiring agencies to use the two security protocols.

A DMARC policy thwarts cyber-criminals who hack into user accounts and then scrape the address books; they then use a different server to spoof messages from the hacked user to his or her own contacts. They do this for spam and fraud purposes, for phishing and to spread malware. DMARC combats this by allowing a sender to indicate that its emails are protected, and by authenticating that messages are coming from the domain that they purport to be coming from. In practice, it means that it will be more difficult for nation-state actors or fraudsters to impersonate federal employees.

HTTPS, meanwhile, provides encrypted communications between a user and a server, preventing communications from being intercepted or eavesdropped upon.

In July, Sen. Ron Wyden (D-Oregon) sent a letter to Manfra asking that DHS require agencies to use DMARC.

The move is similar to what the UK implemented last year. In the US, agencies will have 90 days to implement DMARC and 120 days to upgrade to HTTPS. In a recent survey, just 135 federal email domains had DMARC deployed, out of a total of 1,315, with fewer than half of those actually activated.